The latest scam? Your voice can be used against you

“This call will be recorded for quality, training and verification purposes” is a familiar phrase heard when seeking assistance from an airline, a bank or any other customer service line. The question that comes to mind, however, is: under what circumstances are these recordings used?

It’s not widely known, but if the business being called is handling monetary transactions or could be at risk of fraudulent activities, these voice recordings can be used to verify the authenticity of the caller. Why is this important? According to the Australian Competition and Consumer Commission, Australians lost $711,951 to identity theft last year, including more than $91,000 in December alone. More than one in five identity scams involved a telephone.

Hence, it’s important to know how your call is being verified and the ways fraudsters are taking voice recognition to a whole new level.

How calls are verified

In the minutes before a caller is transferred to a customer service agent, call centres rely on their own proprietary or third-party software to verify the caller's authenticity. This works similarly to caller ID, but with an additional data layer that indicates whether the number dialling into the support line actually belongs to an individual or is registered at a physical location. In addition, call centres maintain a black-list of telephone numbers where fraudulent activity is known to occur. This enables the call centre to terminate nuisance or fraudulent calls before they even reach customer support.

Many of these customer service centres utilise recordings and voice biometrics to match a voice with a known fraudulent caller. This is not science fiction! Once call centres started tracking telephone numbers, fraudsters switched to using burner or throw-away phones and even resorted to moving locations in an attempt to get around the black-list of bad telephone numbers. With voice biometrics, if a bad actor manages to perform a fraudulent transaction, then their voice, which is recorded for verification purposes, is catalogued and flagged.

Another tactic deployed by fraudsters is a variation of the “man in the middle” attack using an auto-dialling PABX. All it takes is for a PABX to dial the phone number of a targeted customer (sometimes with a recorded message prompting the customer to contact the bank) while simultaneously dialling the bank’s helpdesk. What then ensues is a conversation of ‘who dialled who’, leading the bank to ask the customer to identify themselves, potentially with their telecode, all while the PABX is listening in and recording the conversation and details in the background. At the completion of the call, the PABX sets up another call, working its way through its customer list. These attacks can be hard to stop, as the number to block is unknown on the caller ID and it requires a court order to have carriers block the overseas number.

How fraudsters took voice recognition one step further

Hold on, the nightmare is far from over. Fraudsters have devised a plan to get past the black-listed catalogue by calling random individuals, enticing them to speak and then recording their voices. For example, an unknown caller might ask close-ended questions such as “can you hear me?”, prompting the receiver to answer “yes” or “no”. These voice recordings are then used to dial into a call centre to defraud either a company or another person’s account. Imagine that: fraudsters are creating databases of “innocent” voices. It’s chilling. Here are some measures to protect against this scam:

Use caller ID religiously – Before answering a call, ensure that the person on the other end of the line is someone familiar. If caller ID doesn’t recognise the number or the caller ID shows unknown, then send them to voice mail. It’s reflexive to want to answer a call but given how technology can be abused, it’s time to think before answering a call.

Hang up – If the caller is asking close-ended questions such as “Are you the homeowner?” and there’s no reason to believe a call is valid then hang up. Any legitimate caller will call back and can be sent to voice mail to leave a message.

Two-factor authentication – Use two-factor authentication to protect all online accounts. This helps to prevent fraudsters from even initiating a transaction on an individual’s behalf. Note that if fraudsters can’t initiate a transaction then they cannot proceed with their plans.

Strong passwords – Be sure strong passwords are used, and remember that re-using passwords is a rookie error. Even if it’s easier to use the same password across all your websites, don’t do it! Accounts that hold sensitive information, such as bank or stock accounts, require strong passwords that are changed frequently.

At a time when personal information is readily accessible online, it’s time to start thinking defensively about the channels through which information can be retrieved, such as telephone calls. The key is to listen and think before answering questions, and not to hesitate to hang up or send the caller to voice mail. They can always call back if it’s really important.

Cyber resilience will be particularly important as Australian organisations face increased pressure to quickly detect, respond to, and manage the repercussions of breaches in the wake of 2018’s Notifiable Data Breaches (NDB) scheme.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.